Selecting Enterprise Email Security: Scaling to the Enterprise

Posted under: Research and Analysis

As we continue down the road of Selecting Enterprise Email Security, let’s home in on the “E” word – Enterprise. Email is a universal application, and scaling up protection to the enterprise is all about managing email security in a consistent way. So in this post, we’ll dig into selecting the security platform, integrating with other enterprise security controls, and finally some adjacent services that can improve the security of your email and should be considered as part of broader protection.


The first decision is choosing the platform on which to build your email security. Before you get into one vendor versus another, first you have to determine where the platform will run: cloud or on-prem. Although it’s not that much of a decision anymore. To be clear, there are certain industries and use cases that will favor one over the other. But in terms of the overall trend, email security is moving to the cloud.

The cloud is pretty compelling for email security because some aspects of managing the platform are no longer your problem. When you get hit with a spam flood, if you have the platform in the cloud, upgrading the devices is not your problem. When the underlying product needs to be updated, patching it is not your problem. You don’t have to make sure detections are updated.

The cloud provider takes care of all of that, and that means you can focus on other stuff. Thus you’ve taken advantage of the cloud security shared responsibilities model and made your problem(s) into the provider’s problem. Bravo!

Another aspect of the enterprise email security environment is the ability to recover and keep business working in the event of a mail system outage. Your email security platform can provide resilience/continuity to your email system by sending and receiving messages, even if the email system is down (or shaky). If you’ve ever had a widespread email outage (and lived to tell the tale), this one is a no-brainer in that ensuring the flow of messaging tends to be Job 1, 2 and 3 for the IT group.

So is there a use case and/or industry where an on-prem email security gateway makes sense? It’s in highly sensitive environments where the email absolutely, positively cannot run through a service provider’s network. Of course, email encryption gives you the ability to protect the mail even as it goes through the cloud, but that adds a lot of overhead and complexity. There are some industries/verticals (think national security) where the cloud isn’t acceptable. Or should we say, isn’t acceptable yet, since we believe that at some point you’ll look back nostalgically at your data center — kind of like how you think about your wired telephone.

To ensure we don’t leave any question about our position, besides those kinds of high-security environments, we believe your email security platform should reside in the cloud.

Content Protection

Blocking malicious email is the top requirement of the email security platform, but a close second is advanced content protection. This could involve doing DLP-like scanning of the messages and encrypting messages and/or attachments, depending on the content in the message and the enterprise policies. At this point, most of the email security offerings will provide content analysis and typically built-in encryption.

In terms of content analysis, you’ll want sophisticated content analysis to be a core feature of the offering. That means “DLP-light,” which we described years ago (Intro, Technologies, Process). It’s not full DLP but provides sufficient content analysis to detect sensitive data and provides the customization necessary for your specific data.

The platform should be able to fingerprint sensitive data types and use built-in, industry-specific, and customizable dictionaries to pinpoint sensitive content. Once a potential violation is identified, you’ll want sufficient policy granularity to enable different actions depending on message content, destination, attachment, etc. The more involved the employee can be in handling those issues (with reporting and oversight, of course), the less the central security team will get bogged down dealing with the DLP alerts (a huge issue for full DLP solutions).

Speaking of actions, depending on the content analysis and policy, the message in question could be blocked or automatically encrypted. The most prevalent means of email encryption is the secure delivery server, which provides the ability to control the encrypted files by having the email encrypted and sent to a secure messaging service/server. The recipient gets a link to the secure message, and after proper authentication can access the message via the secure email service. Having the sensitive data in a place you can control allows you to set policies regarding expiration, printing, replying and forwarding, etc. to reflect the sensitivity of the content.
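To make the content-analysis-plus-policy flow concrete, here is an added sketch (not from the original post or any vendor's product) that detects a Luhn-valid card number or a dictionary term and then chooses an action by destination. The domain names, dictionary terms and the `decide` function are hypothetical, and recipients are read from the headers rather than the SMTP envelope for brevity.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed policy data for illustration; real deployments supply their own.
INTERNAL = {"corp.example"}
PARTNERS = {"partner.example"}            # may receive sensitive data, encrypted
DICTIONARY = {"project falcon", "merger agreement"}   # custom dictionary terms
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def findings(text):
    """Return the set of sensitive-data types detected in text."""
    found = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("card_number")
    if any(term in text.lower() for term in DICTIONARY):
        found.add("dictionary_term")
    return found

def decide(raw_message):
    """Return 'allow', 'encrypt' or 'block' for one outbound message."""
    msg = message_from_string(raw_message)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = {a.rsplit("@", 1)[-1].lower() for _, a in rcpts if "@" in a} - INTERNAL
    text = msg.get("Subject", "") + "\n" + "\n".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")
    if not findings(text) or not external:
        return "allow"                     # nothing sensitive, or internal only
    if external <= PARTNERS:
        return "encrypt"                   # hand off to the secure delivery server
    return "block"                         # sensitive data to an unknown domain

# Constructed sample message.
SAMPLE = ("From: alice@corp.example\nTo: bob@partner.example\n"
          "Subject: invoice\n\nCard on file: 4111 1111 1111 1111\n")

if __name__ == "__main__":
    print(decide(SAMPLE))
```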


The base email security platform scans your inbound email, drops the spam, analyzes and explodes attachments, rewrites URLs, identifies imposter attacks, looks for sensitive content, and possibly encrypts a subset of messages that cannot leave your environment in the clear. But to scale email security to your enterprise, you’ll want to integrate the platform with your other enterprise controls.

Email Platform

The one integration point that rises above all others is your email platform, especially if the platform is in the cloud (for example, Office 365, G Suite). It’s trivial to route your inbound email to the security platform and then have the clean email sent on to the server. The integration comes in to protect outbound email and also to look at internal email (as discussed in the last post).

You have options to integrate the security platform with the email server regardless of whether the email runs in the cloud or not, and whether your security runs in the cloud or not. Just be wary of the complexity of having to manage dozens of email routing rules and ensuring that outbound email from a specific group is sent through the proper gateway/service on the way out. Again, this isn’t overly complicated, but at scale, this requires diligence since if you miss a route, unprotected email results.
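One way to catch a missed route is to sample delivered outbound messages and confirm that a gateway hop appears in their `Received` trace headers. The following is an added example, not part of the original post; the gateway suffix `.mailsec.example`, the sample messages, and the grouping by sender domain are all assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

GATEWAY_SUFFIX = ".mailsec.example"     # hypothetical gateway host suffix
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

def relay_hosts(msg):
    """Hosts that stamped a Received header ('by' clause), newest first."""
    hosts = []
    for header in msg.get_all("Received", []):
        m = BY_RE.search(header)
        if m:
            hosts.append(m.group(1).lower().rstrip("."))
    return hosts

def went_through_gateway(raw):
    """True if any receiving hop is a host under the gateway suffix."""
    msg = message_from_string(raw)
    return any(h.endswith(GATEWAY_SUFFIX) for h in relay_hosts(msg))

def bypass_report(samples):
    """Count, per sender domain, sampled messages with no gateway hop."""
    missed = Counter()
    for raw in samples:
        if not went_through_gateway(raw):
            sender = parseaddr(message_from_string(raw).get("From", ""))[1]
            missed[sender.rsplit("@", 1)[-1].lower()] += 1
    return dict(missed)

# Constructed samples, as they would arrive at a test mailbox you operate.
SAMPLES = [
    # Routed correctly: corporate mail server -> gateway -> recipient MX.
    "Received: from out1.mailsec.example by mx.rcpt.example; Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from mail.corp.example by out1.mailsec.example; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "From: alice@corp.example\nTo: probe@rcpt.example\nSubject: a\n\nhi\n",
    # Missed route: a subsidiary's server delivered directly to the recipient.
    "Received: from mail.sub.corp.example by mx.rcpt.example; Mon, 1 Jan 2024 10:05:00 +0000\n"
    "From: bob@sub.corp.example\nTo: probe@rcpt.example\nSubject: b\n\nhi\n",
]

if __name__ == "__main__":
    print(bypass_report(SAMPLES))
```

Only hops stamped by systems you control are trustworthy, so collect the samples at a mailbox you operate rather than relying on headers supplied by the sender.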

Also, keep in mind that your integration for internal email scanning will be constrained by the capabilities of the API offered by the email provider. The big email service providers have robust APIs that provide the access you need, but any integration remains dependent on the API.


The enterprise email security gateway is a key part of your security infrastructure, and as such, it should be tightly integrated into the other security controls/tools in use. For instance, you’ll want to integrate with:

  • SIEM: The SIEM tends to be the system of record to aggregate alerts and provide reporting for the security team. Thus, you’ll want to be able to send alerts to the SIEM.
  • Work management: Going hand in hand with the SIEM integration is the ability to send/receive tickets to your work management/operations platform. For example, if the email security service detects a device sending recon emails internally, it would automatically start a ticket/case within the operations platform for a Tier 1 analyst to check it out.
  • SOAR platform: Getting even more sophisticated from an operational perspective is integrating with a Security Orchestration, Automation and Response (SOAR) platform. In this situation, a phishing email would be detected, and the email security service would automatically trigger a response playbook to delete the message, block the phishing web site on the egress web gateway, and check whether any other employees received the phish.

Adjacent Services

As we wrap up the discussion around features and capabilities of your enterprise email security platform, it warrants a discussion about other adjacent capabilities your vendor can provide.

  • Security Awareness Training: Consolidation has started, with email security companies acquiring or partnering for security awareness training capabilities. The leverage is clear since it’s more impactful to train an employee right after they’ve clicked on the wrong message or included private data in an email. So having the services work together can be valuable. For more information on awareness training, check out our recent research (Making an Impact with Security Awareness Training).
  • Web Security: Outbound content is content, right? Thus, there should be leverage between the email content analysis and what goes out via Port 80 or 443. Well, not exactly. There are pretty significant differences in terms of latency, decryption, and the kinds of exfiltration inherent to email versus web. Thus far, there has been limited value in getting outbound web filtering from your email security vendor, but we expect the email and web security vendors to continue encroaching on each other’s territory.
  • Archiving and eDiscovery: This is less about security and more about convenience. Your email security gateway sees every message going in and out of the enterprise, and as such, storing those messages is straightforward. Of course, that downplays the technical challenges of storing potentially billions of messages at a reasonable cost and maintaining chain of custody. The email archive also provides a good platform for eDiscovery, since that’s all about granularly searching high volumes of messages quickly and accurately, and being able to provide useful reports. Just make sure you can manage the cost of archiving by moving messages to less expensive (less accessible) storage over time.

So that covers the capabilities and features of the enterprise email security platform. Next, we’ll go through the finer points of evaluating and procuring the products and/or services to wrap up the series.

– Mike Rothman

*** This is a Security Bloggers Network syndicated blog from Securosis Blog authored by [email protected] (Securosis). Read the original post at: